💬 Communicating Cyber: Check out episode 3 of Cydea’s Communicating Cyber series, where Nisha Patel shares her journey on becoming a CISO and her tips to gain trust and buy-in from senior leadership. WATCH
This week

- Four arrested for UK retail cyber attacks
- Citrix users urged to patch actively exploited vulnerability
- Suspected Iranian front group pushing ransomware attacks on US, Israel
- SEC and SolarWinds settle alleged case of misleading investors
- ChatGPT protections preventing sensitive data leaks bypassed by asking it to play a game
- McDonald’s hiring bot used the password 123456
Interesting stats
$920 is what cybercriminals paid an employee of C&M Software, a Brazilian payments software provider, for company credentials, plus another $1,850 for executing commands, in a heist that netted them almost $140 million from six banks. LINK
Five things
- Retail cyber attack arrests: UK police arrested four people on suspicion of Computer Misuse Act offences on Thursday morning, in connection with the attacks on Marks & Spencer, Co-op, and Harrods. The National Crime Agency said a 17-year-old Brit and a 19-year-old Latvian national from the West Midlands, a 19-year-old Brit in London, and a 20-year-old woman from Staffordshire were arrested in their homes. Authorities are not releasing their names at this time. Also this week, M&S boss Archie Norman faced a parliamentary committee, telling MPs the attack was “like an out of body experience”. That matches my personal experience working with other execs in similar situations: it’s a really traumatic experience for victims. Norman said that a key online distribution centre was still offline following the attack, which he confirmed started with ‘sophisticated’ social engineering and a third party. Norman said M&S had promptly reported the issue to authorities, and that mandatory reporting is a “very interesting idea”, as he believes two other “large British companies” had suffered breaches that have gone unreported in recent months. ARRESTS, SOCIAL ENG, REPORTING
- Citrix Bleed 2: CISA is warning that attackers are actively exploiting a critical vulnerability in Citrix NetScaler. Dubbed Citrix Bleed 2, CVE-2025-5777 (9.3/10) stems from poor input validation, and attackers can exploit it to steal post-authentication session tokens. It shares similarities with the original ‘Citrix Bleed’ issue discovered in 2023. Because the tokens are issued only after a successful authentication, an attacker holding a stolen token can skip the login process entirely and gain access to the user’s resources. Citrix has downplayed the issue and not shared indicators of compromise, leading to criticism from the security community. Cydea’s risk advisory provides details of the risk posed and outlines the necessary actions to take. CITRIX BLEED, CYDEA, CISA, ADVISORY
- Iranian-linked ransomware group Pay2Key has returned from a five-year hiatus, encouraging affiliates to mount attacks against the US and Israel; the group is believed to be a front for Iran’s Pioneer Kitten group. Indirect action tactics like this have featured as a hypothesis in other incidents recently, such as a fire at a warehouse in East London carried out by a group of men paid by Russia’s Wagner Group, or ships suspected of deliberately dragging their anchors to disrupt subsea cables. Of course, there are no rumours of Western intelligence funding similarly deniable operations. PAY2KEY
- The SEC and SolarWinds have settled a lawsuit alleging that the company and its CISO, Timothy Brown, “defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.” Russian threat actors compromised SolarWinds in 2020 and used the firm’s remote management software to compromise customer environments, and the SEC filed charges in 2023. Details of the settlement have not been made public. SOLARWINDS
- Shall we play a game? A researcher got ChatGPT to expose information by asking it to play a game and then ‘giving up’. The info in question? Microsoft Windows 10 licence keys that have been hoovered up by OpenAI’s insatiable appetite for data on the web and beyond. CHATGPT
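The Citrix Bleed 2 item above turns on one property: a stolen post-authentication session token lets an attacker skip the login step, so the session keeps looking legitimate to the appliance. With no vendor-supplied indicators of compromise, one generic signal defenders can still look for is the same session token being presented from more than one client address within a short window. The script below is an added example, not code from Cydea, Citrix or CISA; the log format (timestamp, client IP, session token, request path) is a constructed, generic one and not NetScaler’s real log format, and the half-hour window and one-IP-per-session assumption are assumptions you would tune for your environment.

```python
"""Flag session tokens presented from more than one client address.

Added example: a generic detection for session-token hijacking. The log
format and sample lines below are CONSTRUCTED and do not reflect any real
product's log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client ip> <session token> <path>"
# tok-a1b2c3 is used from two different addresses three minutes apart;
# tok-d4e5f6 is a normal single-address session.
SAMPLE_LOG = """\
2025-07-10T09:00:01 203.0.113.10 tok-a1b2c3 /vpn/index.html
2025-07-10T09:00:05 203.0.113.10 tok-a1b2c3 /vpn/portal
2025-07-10T09:03:12 198.51.100.7 tok-a1b2c3 /vpn/portal
2025-07-10T09:04:00 203.0.113.22 tok-d4e5f6 /vpn/index.html
2025-07-10T09:10:00 203.0.113.22 tok-d4e5f6 /vpn/portal
this line is malformed and should be skipped
"""


def parse_log(text):
    """Yield (timestamp, ip, token, path) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def find_shared_tokens(text, window=timedelta(minutes=30)):
    """Return {token: sorted list of client IPs} for tokens that changed
    client address between two consecutive requests less than `window` apart.

    Assumption (tunable): a legitimate session stays on one client address;
    a quick switch to a second address is a hijack indicator.
    """
    events = defaultdict(list)  # token -> [(timestamp, ip), ...]
    for ts, ip, token, _path in parse_log(text):
        events[token].append((ts, ip))

    flagged = {}
    for token, seen in events.items():
        seen.sort()  # chronological order
        for (prev_ts, prev_ip), (ts, ip) in zip(seen, seen[1:]):
            if ip != prev_ip and ts - prev_ts <= window:
                flagged[token] = sorted({ip for _, ip in seen})
                break
    return flagged


if __name__ == "__main__":
    for token, ips in find_shared_tokens(SAMPLE_LOG).items():
        print(f"ALERT: session {token} seen from {len(ips)} addresses: {', '.join(ips)}")
```

Mobile users and carrier NAT legitimately change source address, so in practice this check is a triage signal rather than a verdict: shorten the window, pair it with a user-agent or TLS-fingerprint comparison, and treat a hit as a prompt to invalidate the session and have the user re-authenticate. Because the page does not give the fixed NetScaler builds, the version check from the vendor advisory is not reproduced here.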
In brief
- 🕹️ Activision took down its Call of Duty: WWII game last weekend after reports that PC users’ computers were being compromised. ACTIVISION
- 🪲 Fortinet has fixed a critical pre-auth SQL injection vulnerability in its FortiWeb web application firewall, CVE-2025-25257 (9.6/10). FORTINET (ADVISORY)
- 🔁 More information is now available on Microsoft’s forthcoming “Quick Machine Recovery (QMR)” feature that will enable Windows 11 computers to boot into a recovery environment, helping to negate some of the impact of fatal software updates, like that unleashed by CrowdStrike in 2024. QMR
- 🧿 Tom Kemp, head of the California Privacy Protection Agency (CPPA), is interviewed by Suzanne Smalley of The Record on adapting to evolving data protection requirements, the risk of scaled accessibility to personal data, and emerging privacy regulation. CCPA
- 🇨🇳 Italian authorities have arrested a Chinese man on suspicion of helping the state-backed Hafnium group. Xu Zewei, 33, is alleged to have been involved in cyber-espionage, targeting the theft of US research into the COVID-19 virus and the mass-exploitation of vulnerabilities in Microsoft Exchange servers. HAFNIUM
- ▶️ TikTok has recruited senior ICO staffer Stephen Bonner. TikTok is appealing a £12.7 million fine issued by the ICO, leading to calls that the recruitment represents a conflict of interest. An ICO spokesperson says that Bonner, the deputy commissioner for regulatory supervision, was not a decision maker in either of its recent TikTok investigations. TIKTOK
And finally
- I’m lovin’ it: McHire, an AI hiring bot used by McDonald’s, was accessible via the password 123456, potentially exposing the details of 64 million job seekers. Would you like fries with that? MCHIRE